1. Field of the Invention
The present invention relates to a tamper resistant microprocessor capable of preventing the illegal alteration of execution codes and processing target data under the multi-task program execution environment, which has a large capacity internal memory capable of storing a plurality of programs and their work areas, that is provided inside a package.
2. Description of the Related Art
The open system is widely spread today as an information network system. In the open system, hardware information of a computer for general user such as PC and system program (or OS) information are disclosed, and the end-user can make any desired improvement by modifying the system program.
Under such a circumstance, in order to guarantee the copyright protection for data handled by application programs or the copyright protection for programs themselves, there is a need for hardware that protects the secret of the program, which is based on the presumption that the OS of the system can carry out hostile operations with respect to applications. Such hardware has been proposed especially in a form of a microprocessor (see commonly assigned co-pending U.S. patent application Ser. No. 09/781,158 and No. 09/781,284; and Lie et al., “Architectural Support for Copy and Tamper Resistant Software”, Computer Architecture News 28(5), pp. 168-).
These microprocessors have a function for encrypting a program and data handled by that program under the multi-task environment in order to protect them from the peeping and the alteration. In the following, such a microprocessor will be referred to as a tamper resistant microprocessor.
The main purpose of the tamper resistant microprocessor is to protect the rights of the copyright owners of programs, contents and network services by protecting applications operated on the end-user's system. More specifically, three major concerns are:
(1) the protection of secrets of algorithms implemented in programs;
(2) the protection of secrets of trade secrets and contents embedded in programs, or the protection against the illegal copying; and
(3) the protection of the program operations and the processing results against the alteration.
The protection of algorithms implemented in programs is necessary in order to protect the copyright owners of the programs. The protection of the trade secrets embedded in programs is necessary in order to prevent illegal copies of copyright protected contents handled by the programs. In the application in which a program that utilizes a network service exchanges a charging information with a server, it is particularly important to prevent the illegal alteration so that the charging information transmission operation is executed properly, for the purpose of protecting the right of the service provider. As a practical example, it is well known that a program for reproducing DVD on PC was analyzed to obtain the trade secret for decrypting the encryption of DVD and a program (DeCSS) for illegally copying DVD was produced.
Here, the currently proposed application program secret protection mechanisms in the open system will be briefly described, according to the proposition made by the present inventors and others (see commonly assigned co-pending U.S. patent application Ser. Nos. 09/781,158, 09/781,284, 09/984,407 and 10/059,217, for example). The exemplary mechanism described here has the feature that it is capable of protecting secrets independently from the OS that manages the system resources, for each one of a plurality of programs of a plurality of program vendors that are to be operated in a pseudo-parallel manner on a single system. Such a protection environment will be referred to as a “multi-party application protection environment”.
FIG. 11 shows an outline of the currently proposed multi-party application protection environment. A target system (PC, for example) 1102 has a built-in tamper resistant microprocessor 1103, as well as a secondary memory 1107 such as hard disk and a memory 1108 provided at external of the processor. The system 1102 and a user 1112 constitute a system environment 1101.
A plurality of different program vendors 1121-1 to 1121-n respectively deliver the encrypted programs 1123-1 to 1123-n to the target system 1102 through a network. The encrypted program will be also referred to as a protected program.
The encrypted program delivered from the vendor is stored in the secondary memory 1107 of the target system 11-2, and read into a region 1109 secured on the external memory 1108 at a time of the execution. On the external memory, the program is still in the encrypted state. The encrypted program is decrypted when it is read from the external memory 1108 into the microprocessor 1103. The decryption processing is carried out by the protection function 1106 by using a key sent from the vendor in correspondence to each program. The decrypted program is read into the cache memory 11-4. In the decryption of the program and the reading into the cache memory 1104, the entire program is not read all at once, and the reading is carried out portion by portion according to the execution of the program. The program portion read into the cache memory is in the plaintext state.
Inside the microprocessor 1102, the program is handled in the plaintext form by the protection function 1106, and there is no room for the OS 1110 to intervene. Also, the content of the cache memory 1104 cannot be directly read from the external, except for the operation defined by the specification of the microprocessor 1103.
On the other hand, in recent years, due to the advance of the integrated circuit technology, it becomes possible to implement a large capacity memory within the same package as the microprocessor. In such an internal memory type processor, even though there is a limit to the maximum memory capacity, there is a possibility of reducing the encryption processing load at times of the memory reading or writing which has been an overhead in the conventional tamper resistant processor that presupposes the external memory.
However, even if the memory is arranged inside the microprocessor as an internal memory, the memory resource management is under the management of the OS so that there is a possibility for the hostile operations by the OS. Consequently, in the internal memory type microprocessor, there is a need for the program secret protection under the management of the OS, but there has been no concrete proposition for realizing the secret protection.
In addition, in the case of processing a plurality of different encrypted programs rather than a single program, in a pseudo-parallel manner in the internal memory type microprocessor, there is a need to guarantee the secret protection for each one of a plurality of programs individually, but there has been no proposition in this regard either.
In order to realize the multi-task processing while guaranteeing the secret protection in the internal memory type tamper resistant microprocessor, the following should be taken into consideration:
(1) the integrity of the memory operations that can protect a plurality of programs from the intentional alteration;
(2) the compatibility of the resource management by the OS and the secret protection of the internal memory; and
(3) the communications between the task and the OS.
More specifically, in the case where some task carries out the “n” memory operations with respect to some address in the internal memory, it must be protected during this process from the memory operations by another task as well as from the intentional attack by the OS. This is because the execution of the task comprises many instruction steps, and the correct result can be obtained only when all of these are executed correctly. In the case where the attacker including the OS executes only some part of the program or excludes only a specific operation among a series of memory operations, the operation of the program is willfully changed and the correct program execution becomes impossible.
Also, at a time of the memory page operation that is carried out by the OS as a part of the resource management, there is a possibility for an attack utilizing the release of the memory, and in order to eliminate such an attack, there is a need to make the resource management and the program secret protection compatible.
In addition, when the task issues a system call, the data exchange with the OS is carried out and for this purpose there is a need to carry out the communications by sharing the memory with the OS.
Here, consider the internal memory type processor to which the protection mechanism of the conventional external memory type tamper resistant microprocessor is directly applied. First, the main internal memory is divided into units (4 Kbyte pages) called blocks or pages. Inside the processor, a table for maintaining the secret protection attribute for each memory page is provided, where a table entry maintains the secret protection attribute of a corresponding memory page. In the secret protection attribute descriptor of the memory page operated by the task TØ, the ID of the task TØ is automatically set such that it becomes impossible for the other tasks including the OS to read or write the content in plaintext.
However, the OS can forcefully release the secret protection attribute of some memory page for the purpose of the re-utilization of the memory page. When the secret protection attribute of the memory page is released, the content of the page is completely deleted and initialized to the prescribed value, so that the secret of the original task can be protected.
Now, suppose that the task TØ carries out the “n” memory operations Op1 to Opn with respect to the memory page MØ of some address AØ, from the initial state of the memory page MØ. The initial state may be indeterminate, and the purpose is to obtain the result in the final state by surely carrying out the operations Op1 to Opn. Of course the memory operations by another task should not be mixed during this process.
The memory operation by the general task can be eliminated by the conventional external memory type protection mechanism. However, an attack in which the OS releases the secret protection attribute of the memory page MØ and then rewrites this page by the intended data of the attacker cannot be eliminated or detected even when the external memory type protection mechanism is directly applied to the internal memory type. The secret of data before the releasing of the secret protection attribute can be protected, but the replacement by the other data cannot be prevented.
As a result, the attacker having the OS privilege can freely rewrite the secret memory content of the task according to the attacker's intention.
The forceful releasing of the secret protection attribute of the memory page can be a threat to the task secret protection. However, under the multi-task system, it is impossible to use a configuration which does not have such a forceful release function such that only the task itself can release the protection attribute, because in such a configuration, it becomes impossible for the OS to control the situation where some task occupies an excessively large part of the memory.
Also, the memory access in the non-protected state for the purpose of carrying out communications between the OS and the task and the protected memory access must be compatible.